Merge pull request #2686 from enkore/docs/i2651

init: note possible denial of service with "none" mode

docs/borg_theme/css/borg.css

@@ -61,6 +61,14 @@ dt code {
     border-right: 2px solid #4e4a4a;;
 }
 
+/* the rtd theme has "nowrap" here which causes tables to have scroll bars.
+ * undo that setting. it does not seem to cause issues, even when making the
+ * viewport narrow.
+ */
+.wy-table-responsive table td, .wy-table-responsive table th {
+    white-space: normal;
+}
+
 p .literal,
 p .literal span {
     border: none;
@@ -73,8 +81,8 @@ cite {
     white-space: nowrap;
     color: black; /* slight contrast with #404040 of regular text */
     font-size: 75%;
-    font-family: Consolas,"Andale Mono WT","Andale Mono","Lucida Console","Lucida Sans Typewriter",
+    font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter",
-    "DejaVu Sans Mono","Bitstream Vera Sans Mono","Liberation Mono","Nimbus Mono L",Monaco,"Courier New",Courier,monospace;
+    "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace;
     font-style: normal;
     text-decoration: underline;
 }

src/borg/archiver.py

@@ -2449,16 +2449,23 @@ def define_common_options(add_common_option):
         Encryption modes
         ++++++++++++++++
 
+        .. nanorst: inline-fill
+
         +----------+---------------+------------------------+--------------------------+
         | Hash/MAC | Not encrypted | Not encrypted,         | Encrypted (AEAD w/ AES)  |
         |          | no auth       | but authenticated      | and authenticated        |
         +----------+---------------+------------------------+--------------------------+
-        | SHA-256  | none          | authenticated          | repokey, keyfile         |
+        | SHA-256  | none          | `authenticated`        | repokey                  |
+        |          |               |                        | keyfile                  |
         +----------+---------------+------------------------+--------------------------+
-        | BLAKE2b  | n/a           | authenticated-blake2   | repokey-blake2,          |
+        | BLAKE2b  | n/a           | `authenticated-blake2` | `repokey-blake2`         |
-        |          |               |                        | keyfile-blake2           |
+        |          |               |                        | `keyfile-blake2`         |
         +----------+---------------+------------------------+--------------------------+
 
+        .. nanorst: inline-replace
+
+        `Marked modes` are new in Borg 1.1 and are not backwards-compatible with Borg 1.0.x.
+
         On modern Intel/AMD CPUs (except very cheap ones), AES is usually
         hardware-accelerated.
         BLAKE2b is faster than SHA256 on Intel/AMD 64-bit CPUs
@@ -2491,7 +2498,8 @@ def define_common_options(add_common_option):
 
         `none` mode uses no encryption and no authentication. It uses SHA256 as chunk
         ID hash. Not recommended, rather consider using an authenticated or
-        authenticated/encrypted mode.
+        authenticated/encrypted mode. This mode has possible denial-of-service issues
+        when running ``borg create`` on contents controlled by an attacker.
         Use it only for new repositories where no encryption is wanted **and** when compatibility
         with 1.0.x is important. If compatibility with 1.0.x is not important, use
         `authenticated-blake2` or `authenticated` instead.

src/borg/nanorst.py

@@ -58,6 +58,7 @@ def rst_to_text(text, state_hook=None, references=None):
     state_hook = state_hook or (lambda old_state, new_state, out: None)
     references = references or {}
     state = 'text'
+    inline_mode = 'replace'
     text = TextPecker(text)
     out = io.StringIO()
 
@@ -117,17 +118,26 @@ def rst_to_text(text, state_hook=None, references=None):
                 directive, is_directive, arguments = text.readline().partition('::')
                 text.read(1)
                 if not is_directive:
+                    # partition: if the separator is not in the text, the leftmost output is the entire input
+                    if directive == 'nanorst: inline-fill':
+                        inline_mode = 'fill'
+                    elif directive == 'nanorst: inline-replace':
+                        inline_mode = 'replace'
                     continue
                 process_directive(directive, arguments.strip(), out, state_hook)
                 continue
         if state in inline_single and char == state:
             state_hook(state, 'text', out)
             state = 'text'
+            if inline_mode == 'fill':
+                out.write(2 * ' ')
             continue
         if state == '``' and char == next == '`':
             state_hook(state, 'text', out)
             state = 'text'
             text.read(1)
+            if inline_mode == 'fill':
+                out.write(4 * ' ')
             continue
         if state == '**' and char == next == '*':
             state_hook(state, 'text', out)